I noticed on the front of the newspaper today the following story:
Canada slow to act on cyber threat: expert
Electrical grid, banking system, national security at risk
By Vito Pilieci
March 24, 2010
Canada is woefully unprepared for a massive cyber-attack that is within reach of any run-of-the-mill hacker and could cripple the business of the nation, warns a leading security expert.
Edmonton's Dragos Ruiu, a computer security consultant and the main organizer of one of the world's leading cyber-security conferences in Vancouver, says it's time for the government to protect complex computer networks that can be hijacked with the simplest of tools and devastate government business communications.
"There has got to be a lot more thought and a lot more talk and a lot more brains applied to the situation," said Ruiu. "The cyber-warfare world is the only place a 17-year-old kid can take on a nation state and win."
Ruiu, a key organizer of the CanSecWest Applied Security Conference, which opens to the world's hacking elite in Vancouver on Wednesday, said when it comes to computer security, even the popular pocket-sized smartphones that people are now carrying are open to attack.
Global governments are taking the threat of Internet-based cyber-attacks seriously. Governments in Russia, China and the United States have greatly altered their defence spending and organization in order to respond to growing cyber-threats from terrorist groups.
Most recently, the U.S. government announced the appointment of a cyber-security czar, Howard Schmidt, responsible for advising the president during an online crisis. The government has also released its $40-billion-US Comprehensive National Cybersecurity Initiative, a national plan outlining the powers the government has and how it will use those powers in the event of an emergency.
Canada has no formal plans about how to respond to a co-ordinated attack by hackers.
In last month's speech from the throne, the federal government announced that a National Cyber-Security Strategy would be forthcoming. The announcement marks the third time in less than a decade that the federal government has said it would be announcing such a strategy; however, so far none have appeared.
"It's confounding that the government hasn't taken this seriously, when over the last couple of years, various vulnerabilities have been shown," said Mark Holland, MP for Ajax-Pickering and Liberal party critic for public safety. "The government hasn't made cyber-security a priority. The fact is, our electric grid could be compromised, the fact our banking systems could be compromised, systems involved in national security could be compromised. If we don't take action it could have serious consequences."
A spokeswoman for Public Safety Minister Vic Toews responded to questions about the state of Canadian cyber-security through an e-mailed statement.
The government is aware of the problems that lax cyber-security measures can pose and acknowledged that Internet-based threats could involve foreign military and intelligence agencies, international cyber-criminals, and cyber-terrorists looking to further military, economic and political objectives.
"At a national level, the impact of cyber-incidents can include: the loss of state secrets; economic disruption and the possible disruption of critical services; and consumer scams and identity theft," said Christine Csversko, Toews's spokeswoman.
She added a national cyber-security strategy will promote public awareness of the problem and "best practices among citizens." It would also provide a high degree of protection of its own government systems.
Csversko would not provide any specifics about the contents of the cyber-security strategy or how it would be applied during an emergency. She said a number of Canadian departments including the Royal Canadian Mounted Police, the Communications Security Establishment and the Canadian Security Intelligence Service are responsible for responding to Canadian cyber-threats.
The reason it has taken so long to create a Canadian cyber-security plan is because the federal government doesn't own the Internet, said Rafal Rohozinski, chief executive of Ottawa's SecDev Group, and best known for the groundbreaking discovery in April of the GhostNet, an international cyber-espionage network. "So much of cyberspace is owned by private-sector actors. Trying to get all of the pieces together is challenging, no two ways about it," said Rohozinski.
Rohozinski believes it would be advantageous if countries worked together to define when and how Internet-based attacks can be used and what type of response is acceptable.
However, he believes it will take the digital equivalent of the A-bombs dropped on Hiroshima or Nagasaki to bring global powers to the table.
"I think that is going to be very hard to do until we see a very catastrophic event that creates the political will to start talking about arms control in cyberspace. Cyberspace is the great equalizer," he said.
"Governments that don't have the defence capabilities to take on other states, certainly can use cyberspace. The absence of international law allows them to use private hackers or pirates in cyberspace, and actually plays in their favour."